I really appreciate you directly going to the community for feedback.
As someone who writes software for IoT devices and has worked in the past on security in the IoT space this is sorely needed. By far the biggest issue in my view is that manufacturers are not motivated to take device security seriously since they are largely isolated from any fallout. Device manufacturers already have to pass certification for RF emissions and safety among other things and should have to pass certification for at least a basic security audit on the device and the services the device connects to. Even self-certification would improve the current situation.
For many device types there exists some form of open source OTA update software or a commercial offering. In the last few years there has been significant maturing of the tooling in this space but the security aspect is often left as optional even though the tooling often makes it fairly easy to add. At this point I think the industry just needs a little push to make secure OTA updates the standard.
An example would be an app for associating a device without a screen on to a wireless network. Think IoT devices or Alexa. Saves the user from having to type in the SSID which is a pain.
But #2 historically does not give better returns. Since the information is already public it has already been included in the price of the stock. The vast majority of investors are not smarter than Wall Street.
As someone who has done some gambling in the stock market using this kind of thinking it has not been a good strategy compared to just buying and holding index funds. Sometimes I get lucky and sometimes I get unlucky buying individual stocks but my most best returns have been buying broad index funds and holding them.
As someone who writes software for IoT devices and has worked in the past on security in the IoT space this is sorely needed. By far the biggest issue in my view is that manufacturers are not motivated to take device security seriously since they are largely isolated from any fallout. Device manufacturers already have to pass certification for RF emissions and safety among other things and should have to pass certification for at least a basic security audit on the device and the services the device connects to. Even self-certification would improve the current situation.
For many device types there exists some form of open source OTA update software or a commercial offering. In the last few years there has been significant maturing of the tooling in this space but the security aspect is often left as optional even though the tooling often makes it fairly easy to add. At this point I think the industry just needs a little push to make secure OTA updates the standard.